Xen project Mailing List

[PATCH 5/5] SUPPORT.md: Make all security support explicit

From: George Dunlap <george.dunlap@xxxxxxxxx>

Date: Fri, 28 Apr 2023 09:08:32 +0100

Cc: George Dunlap <george.dunlap@xxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Andrew Cooper <andrew.cooper@xxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>

Delivery-date: Fri, 28 Apr 2023 08:08:52 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

The initial goal of SUPPORT.md was to help both users, and the Xen Project Security Team, determine what functionality was security supported; i.e., what kinds of security bugs would trigger an XSA. Our proposal is that as of 4.18, all functionality not explicitly listed as security supported will be considered not security supported. Add some text to that effect. The patch as written cannot be applied, since specifying "xl.cfg core functionality" is a TODO; but it should do to start a discussion. Signed-off-by: Georg Dunlap <george.dunlap@xxxxxxxxx> --- CC: Wei Liu <wl@xxxxxxx> CC: Andrew Cooper <andrew.cooper@xxxxxxxxx> CC: Jan Beulich <jbeulich@xxxxxxxx> CC: Roger Pau Monne <roger.pau@xxxxxxxxx> CC: Stefano Stabellini <sstabellini@xxxxxxxxxx> CC: Julien Grall <julien@xxxxxxx> --- SUPPORT.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/SUPPORT.md b/SUPPORT.md index aa1940e55f..fcbcb44c44 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -17,6 +17,36 @@ for the definitions of the support status levels etc. Release Notes : <a href="https://wiki.xenproject.org/wiki/Xen_Project_X.YY_Release_Notes";>RN</a> +# General security support + +An XSA will always be issued for security-related bugs which are +present in a "plain vanilla" configuration. A "plain vanilla" +configuration is defined as follows: + +* The Xen hypervisor is built from a tagged release of Xen, or a + commit which was on the tip of one of the supported stable branches. + +* The Xen hypervisor was built with the default config for the platform + +* No Xen command-line parameters were specified + +* No parameters for Xen-related drivers in the Linux kernel were specified + +* No modifications were made to the default xl.conf + +* xl.cfg files use only core functionality + +* Alternate toolstacks only activate functionality activated by the + core functionality of xl.cfg files. + +Any system outside this configuration will only be considered security +supported if the functionality is explicitly listed as supported in +this document. + +If a security-related bug exits only in a configuration listed as not +security supported, the security team will generally not issue an XSA; +the bug will simply be handled in public. + # Feature Support ## Kconfig -- 2.25.1

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.